Around 10pm on February 2, 2017, a finance department employee at Asbury Communities, Inc., a Maryland-based company that manages retirement communities in four states, received an email requesting W-2 forms for all the company’s employees. The email came from the CEO and referenced other upper level management. This particular employee, known around the office for her eagerness and responsiveness, responded and sent the W-2 forms that very night. It wasn’t until the next morning when she asked the CEO if he had received the email that they realized they had become a victim of cybercrime.
Unfortunately, Asbury Communities fell prey to a type of cybercrime scheme sometimes referred to as the “business email compromise.” Criminals carry out this scheme by compromising legitimate business email accounts through phishing or other social engineering. Criminals often attempt to gain access to an upper-level employee’s email account, and then send a request for funds or sensitive information to a lower-level employee. The fraudulent emails may request the recipient act quickly and without alerting others.
According to the FBI, financial losses due to business email compromise attacks have increased 1,300% since January 2015. Further, between October 2013 and May 2016, the FBI reports that there was a total of 14,032 U.S. victims of the business email compromise scam with $960,708,616 in losses. There were victims in all 50 states and in 100 foreign countries.
While the business email compromise targets businesses and their employees, hackers use similar methods to target individuals.
Don’t Be the Next Victim
At Black Cypress, we strive to maintain cybersecurity policies and procedures that prevent these types of attacks. Additionally, we offer our clients insight on the latest cybersecurity trends. As part of those efforts, we are outlining below three steps individuals can take to reduce the probability of becoming a victim of cybercrime. Though not exhaustive, the list functions as a good starting point for cybersecurity preparedness.
1. Enable Two-Factor Authentication
Two-factor authentication is a security measure that requires two pieces of information to authenticate the user: something you know (a password) and something you have (a phone, token, or app). For example, the two factors to gain access to an email account could be a password and a one-time code sent to the account owner’s phone. Most of the popular email services such as Gmail allow two-factor authentication. Generally, this security measure reduces the threat of unauthorized access to information because an attacker would need the password and the phone or other device that functions as the second factor. We highly recommend that clients enable two-factor authentication on all accounts that contain sensitive information, such as bank and investment accounts and email.
2. Use Password Management
Old, weak passwords are often the chink in the armor when hackers target a victim. And using the same password for all your apps and websites gives hackers access to all your information if they crack just one. However, most of us don’t have the ability to memorize multiple strong passwords. That’s where password management apps, such as 1Password, LastPass, or Dashlane can come in handy. All you have to do is remember one good password, and the password management app will store the rest of your passwords securely. Password management provides an excellent defense against hacking because it enables users to create complex, random, and unique passwords for all their websites and apps. It also facilitates frequent password changes, another strong defense against hacking.
3. Keep Software and Apps Up-to-Date
Another crucial step in defending yourself from cyber attacks is keeping software, hardware, and apps up to date with the latest versions or security patches. While it may be tempting to ignore that security update pop up, there is a reason it is being released: someone has found an exploitable weakness. Like electricity, hackers will follow the path of least resistance. Devices without the latest security updates simply make a hacker’s job easier, and thus those without updated software increase their likelihood of becoming victims.
With “earnings” in the millions, cybercrime is a profitable business. Criminals in this industry look for easy targets and follow the path of least resistance. Fortunately, there are steps individuals can take to make themselves less attractive targets. Two-factor authentication greatly reduces the risk of an unauthorized person gaining access to sensitive information. Password management makes hacking passwords more difficult and mitigates damage if one is hacked. And finally, the latest security updates will prevent a hacker from exploiting known weaknesses in software, hardware, and apps.
At Black Cypress, we strive to find innovative ways to benefit our clients. Since so many products and services in the investment advice industry are now delivered electronically, we want our clients to feel confident and secure as they navigate this landscape. If you have any questions about how the firm assists clients with cybersecurity or about cybersecurity in general, please feel free to contact us at email@example.com or 904-553-1598.